The IP-Tables plugin can gather statistics from your ip_tables based packet filter (aka. firewall) for both the IPv4 and the IPv6 protocol. It can collect the byte- and packet-counters of selected rules and submit them to collectd. You can select the rules that should be collected either by their position (e.g. “the fourth rule in the ‘INPUT’ chain in the ‘filter’ table”) or by their comment (using the “COMMENT” match). This means that, depending on your firewall layout, you can collect certain services (such as the amount of web traffic), source or destination hosts or networks, dropped packets and much more.

Of course this plugin uses libiptc and does not fork the iptables(8) / ip6tables(8) application. This means that it is talking directly with the kernel and the overhead is as low as it gets.

This plugin is a generic plugin, i.e. it cannot work without configuration, because there is no reasonable default behavior. Please read the Plugin iptables section of the collectd.conf(5) manual page for an in-depth description of the plugin's configuration.
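As an added illustration (not taken from the page or from the collectd project's documentation), the following collectd.conf fragment shows the two ways of selecting rules described above: by position and by comment. The rule comments “web-traffic” and “dropped-invalid”, the chain name choices and the value names are assumptions made for this example; the `Chain` / `Chain6` option syntax follows the Plugin iptables section of collectd.conf(5).

```apacheconf
# Added example collectd.conf fragment (hypothetical; not from the original page).
# It assumes two IPv4 rules were created with the "comment" match, e.g.:
#   iptables -A INPUT -p tcp --dport 80 -m comment --comment "web-traffic" -j ACCEPT
#   iptables -A INPUT -m conntrack --ctstate INVALID -m comment --comment "dropped-invalid" -j DROP
LoadPlugin iptables

<Plugin iptables>
  # Whole chain: one byte/packet counter pair per rule in filter/INPUT (IPv4).
  Chain "filter" "INPUT"

  # Select by comment: only the rule whose comment is "web-traffic".
  Chain "filter" "INPUT" "web-traffic"

  # Select by comment and give the value a name of its own.
  Chain "filter" "INPUT" "dropped-invalid" "drops-invalid"

  # Select by position: the fourth rule in filter/FORWARD, reported as "fwd-4".
  Chain "filter" "FORWARD" 4 "fwd-4"

  # IPv6: same selection against the ip6tables rule set.
  Chain6 "filter" "INPUT" "web-traffic"
</Plugin>
```

Because the plugin talks to the kernel through libiptc, the collectd process needs the privileges to read the rule set (root, or at least CAP_NET_ADMIN); otherwise the plugin logs an error and no values are submitted. Selecting rules by comment is the more robust of the two methods: a position-based selection silently starts reporting a different rule whenever a rule is inserted above it.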

Example graphs

Dependencies

Shipped libiptc

Linking with libiptc has not been easy, unfortunately. Because that library used to be meant for internal use only, it was only available as a static library on many distributions. Linking a static library into a shared library requires special flags (-fPIC, → FAQs) being used when building the static library, which was often not the case.

Then libiptc was cleaned up and declared an official library. This means that many distributions now ship it as a shared library which can be linked with nicely, it now supports pkg-config and in general the world got brighter. The name of the package is usually something like iptables-dev. However, the interface has changed in a backwards incompatible way.

To avoid the problems of the “old” version, collectd ships its own version of libiptc as a fallback solution. If your distribution does not provide the library, or provides a broken version, the shipped library is used. You can force the use of the shipped library with the --with-libiptc=shipped configure option. (This feature is not yet released and will be included in the 4.8.1 and 4.7.4 releases.) The shipped version in turn requires certain header files which originate from the Linux kernel. Kernel headers need to be specifically prepared to be used in userspace, hence the headers are only looked for in standard include directories. You need to install those userland versions of the kernel headers in order to use the shipped libiptc. Under Debian, the package name for these headers is linux-libc-dev.

So you're basically left with three options:

Install the “new” version of libiptc (“iptables-dev” or similar).

Install an “old” version of libiptc if it was built with the appropriate flags, or use an architecture where that doesn't matter.

Install the userland versions of the kernel headers (“linux-libc-dev” or similar). The needed header files are:

Real examples of deployment

How to marry shorewall accounting and collectd

There is a clear HOWTO on enabling traffic accounting using Shorewall, a high-level tool for configuring IP-Tables. It gives you a nice overview of the usage on the command line, but unfortunately the counters are gone after Shorewall or the server is restarted.

The idea is to mix standard Shorewall accounting with collectd to have cute and accurate graphs.